No Signalling and Quantum Key Distribution 
Standard quantum key distribution protocols are provably secure against eavesdropping attacks, if quantum theory is correct. It is theoretically interesting to know if we need to assume the validity of quantum theory to prove the security of quantum key distribution, or whether its security can be based on other physical principles. The question would also be of practical interest if quantum mechanics were ever to fail in some regime, because a scientifically and technologically advanced eavesdropper could perhaps use post-quantum physics to extract information from quantum communications without necessarily causing the quantum state disturbances on which existing security proofs rely. Here we describe a key distribution scheme provably secure against general attacks by a post-quantum eavesdropper who is limited only by the impossibility of superluminal signalling. The security of the scheme stems from violation of a Bell inequality.



PACS numbers: 03.67.-a 03.67.Dd 03.65.Ta 

With the discoveries of quantum cryptography and quantum key distribution it is now well understood that cryptographic tasks can be guaranteed secure by physical principles. For example, we now have protocols for various important tasks, including key distribution, that are provably secure provided quantum theory is correct. Protocols for bit commitment have been developed with security based only on the impossibility of superluminal signalling. The possibility of basing cryptographic security on known superselection rules has also recently been discussed.

In this paper we investigate whether it is possible to devise a quantum key distribution scheme that is provably secure if superluminal signalling is impossible. We allow for eavesdroppers who can break the laws of quantum mechanics, as long as nothing they can do implies the possibility of superluminal signalling. In general, this will mean that the security proofs of existing quantum key distribution protocols are no longer valid, as we can no longer assume that quantum theory correctly predicts the tradeoff between the information that Eve can extract and the disturbance she must necessarily cause.

As we show below, there is an intimate connection between the possibility of such a protocol and the violation of a Bell inequality. Non-local (in the sense of Bell inequality violating) correlations constitute an exploitable resource for this task, just as entanglement is a resource for conventional quantum key distribution. We present a quantum scheme, involving Bell violation, that is secure against general attacks by a non-signalling Eve.

One motivation for this work is practical: existing security proofs assume the validity of quantum theory, and while quantum theory has been confirmed in an impressive range of experiments, it remains plausible that some future experiment will demonstrate a limit to its domain of validity. Admittedly, it is also conceivable that some future experiment could demonstrate the possibility of superluminal signalling. But the possibilities are logically independent: quantum theory could fail without violating standard relativistic causality, and vice versa. A cryptographic scheme that can be guaranteed secure by either of two physical principles is more trustworthy than one whose security relies entirely on one.

There are also compelling theoretical motivations. Understanding which cryptographic tasks can be guaranteed secure by which physical principles improves our understanding of the relationship between information theory and physical theory. Our work also demonstrates a new way of proving security for quantum protocols, which may be useful in other contexts, and sheds new light on non-locality and its relation to secrecy.



A Quantum Protocol for Secret Bit Distribution 

We assume that Alice and Bob have a noise-free quantum channel and an authenticated classical channel. Consider the following protocol, which we show below generates a single shared secret bit, guaranteed secure against general attacks by post-quantum eavesdroppers. Define the bases $X_r = \{\cos\frac{r\pi}{2N}|0\rangle + \sin\frac{r\pi}{2N}|1\rangle,\ -\sin\frac{r\pi}{2N}|0\rangle + \cos\frac{r\pi}{2N}|1\rangle\}$ for integer $r$. For each basis, we define outcomes 0 and 1 to correspond respectively to the projections onto the first and second basis elements. Thus $X_{r+N}$ contains the same basis states as $X_r$ with the outcome conventions reversed; i.e. we interpret the bases $X_{-1}$ and $X_N$ below to be $X_{N-1}$ and $X_0$ with outcomes reversed. We take the security parameters $N$ and $M$ (defined below) to be large positive integers. To simplify the analysis, we will take $M \ll N$.

1. Alice and Bob share $n = MN^2$ pairs of systems, each in the maximally entangled state $|\psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$.

2. Alice and Bob choose independent random elements $r_A^i$ and $r_B^i$ of the set $\{0, 1, \ldots, N-1\}$ for each $i$ from 1 to $MN^2$, and measure their $i$-th particle in the bases $A_i = X_{r_A^i}$ and $B_i = X_{r_B^i}$.

3. When all their measurements are complete, Alice and Bob announce their bases over a public, authenticated, classical channel.

4. Alice and Bob abort the protocol and restart unless

$$2MN \le \sum_{i} \sum_{c=-1,0,1} |\{j : A_j = X_i, B_j = X_{i+c}\}|.$$

(The expected size of the sum is $3MN$. The probability of the condition failing is of order $e^{-MN/6}$.)

5. The outcomes are kept secret for one randomly chosen pair for which the bases chosen were $X_i$ and $X_{i+c}$ for some $i$ and $c = -1$, $0$ or $1$. We call bases of this form neighbouring or identical. The outcomes are announced for all the remaining pairs (for all basis choices).

6. Alice and Bob abort the protocol if their outcomes $a$ and $b$ are not anti-correlated (i.e. $a \neq b$) in all the cases where they chose neighbouring or identical bases.

7. If the protocol is not aborted, their unannounced outcomes define the secret bit, which is taken by Alice to be equal to her outcome and by Bob to be opposite to his.
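
The classical post-processing in steps 3 to 7, as an added Python sketch that is not from the paper. The function names, the record layout `(rA, rB, a, b)` and the honest-source sampler (which assumes ideal singlets and basis angle $r\pi/2N$) are assumptions made for illustration.

```python
import math, random

def neighbour(rA, rB, N):
    """(True, flip) if X_rB is X_{rA+c} for some c in {-1, 0, 1}; N >= 3 assumed.
    flip marks X_{-1} and X_N, i.e. X_{N-1} and X_0 with outcomes reversed."""
    for c in (-1, 0, 1):
        if (rA + c) % N == rB:
            return True, not 0 <= rA + c < N
    return False, False

def honest_records(N, M, rng):
    """Steps 1-2 for ideal singlets: one raw (rA, rB, a, b) record per pair."""
    records = []
    for _ in range(M * N * N):
        rA, rB, a = rng.randrange(N), rng.randrange(N), rng.randrange(2)
        # Singlet statistics: P(a != b) = cos^2(angle between the two bases).
        anti = rng.random() < math.cos((rA - rB) * math.pi / (2 * N)) ** 2
        records.append((rA, rB, a, 1 - a if anti else a))
    return records

def post_process(records, N, M, rng):
    """Steps 3-7. Returns ("abort", reason) or ("ok", alice_bit, bob_bit)."""
    tests = []  # (pair index, a, b under the X_{i+c} outcome convention)
    for j, (rA, rB, a, b) in enumerate(records):
        is_nb, flip = neighbour(rA, rB, N)
        if is_nb:
            tests.append((j, a, 1 - b if flip else b))
    if len(tests) < 2 * M * N:                    # step 4
        return ("abort", "fewer than 2MN neighbouring or identical pairs")
    secret = rng.randrange(len(tests))            # step 5: outcomes withheld
    for k, (j, a, b) in enumerate(tests):         # step 6
        if k != secret and a == b:
            return ("abort", f"pair {j} not anti-correlated")
    _, a, b = tests[secret]
    return ("ok", a, 1 - b)                       # step 7

if __name__ == "__main__":
    rng = random.Random(7)
    N, M = 40, 2   # constructed demo parameters
    print(post_process(honest_records(N, M, rng), N, M, rng))
```

Even an honest run aborts whenever one of the roughly $2MN$ neighbouring pairs happens to give equal outcomes, which is why the analysis takes $M \ll N$.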

Eavesdropping attacks 

To analyse the security of this protocol, we must describe formally the actions available to post-quantum eavesdroppers. To give Eve maximum power, we assume that each pair of systems is produced by a source under her control. In a general, or collective, attack, Eve prepares $2n + 1$ systems in a post-quantum state $\Lambda$, sending $n$ systems to Alice, $n$ to Bob, and keeping 1. The state $\Lambda$ defines measurement probabilities

$$P_\Lambda(abe \mid ABE),$$

where $A = \{A_1, \ldots, A_n\}$, $B = \{B_1, \ldots, B_n\}$ are sets of Alice's and Bob's possible measurement choices and $E = \{E_1\}$ is a set containing a possible measurement choice of Eve, with corresponding outcomes $a, b, e$. This state may be non-quantum and non-local, but must not allow signalling even if the parties cooperate. Thus, for any partitionings $A = A^1 \cup A^2$, $B = B^1 \cup B^2$ and $E = E^1 \cup E^2$ (possibly including empty subsets), and any alternative choices $\bar{A}^2, \bar{B}^2, \bar{E}^2$, we require that

$$\sum_{a^2 b^2 e^2} P_\Lambda(a^1 a^2 b^1 b^2 e^1 e^2 \mid A^1 A^2 B^1 B^2 E^1 E^2) = \sum_{\bar{a}^2 \bar{b}^2 \bar{e}^2} P_\Lambda(a^1 \bar{a}^2 b^1 \bar{b}^2 e^1 \bar{e}^2 \mid A^1 \bar{A}^2 B^1 \bar{B}^2 E^1 \bar{E}^2). \qquad (1)$$

Eve may wait until all Alice's and Bob's communications are finished before performing her measurement.

We need a further technical assumption. It seems natural to postulate that, once Eve has prepared a post-quantum state $\Lambda$, the range of measurements available to her and their outcome probabilities are (up to relabellings) time-independent. In fact, a slightly weaker assumption suffices: we assume that in post-quantum theory, as in quantum theory, measurements on a shared state cannot be used to send signals between the parties in any configuration (even if not spacelike separated). If this assumption were dropped, one could allow a theory in which information about the bases and outcomes of any measurements carried out by Alice and Bob propagates to Eve at light speed, so she can obtain these data by a later measurement timelike separated from Alice's and Bob's. While theories of this type may seem implausible, or even pathological, they can be made internally consistent without allowing superluminal communication [12]. Clearly, secure key distribution would be impossible if Eve could exploit a theory of this type.

One can justify excluding this possibility by extending a standard cryptographic assumption to post-quantum cryptology. Conventional security analyses of quantum key distribution require that Alice's and Bob's laboratories are completely secure against Eve's scrutiny — a necessary cryptographic assumption, which does not follow from the laws of quantum theory. Similarly, in the post-quantum context, we assume that no information about events in Alice's and Bob's laboratories — in particular, their measurements or outcomes — subsequently propagates to Eve. Put another way, Alice and Bob have to assume they can establish secure laboratories, else cryptography is pointless. The aim is to guarantee secure key distribution modulo this assumption. We shall prove that the protocol above is indeed secure against general attacks.

Proof of security 

We define $A_j$, $B_j$ to be Alice's and Bob's basis choices for the $j$-th pair; these are random variables, each measurement occurring with probability $1/N$. We also define $a_j$, $b_j$ to be their measurement outcomes and write

$$t_j = \frac{1}{3N} \sum_{c=-1,0,1} \sum_{i=0}^{N-1} P_\Lambda(a_j \neq b_j \mid A_j = X_i, B_j = X_{i+c}).$$

(Recall that $X_{-1}$ and $X_N$ are $X_{N-1}$ and $X_0$ with outcomes reversed.) Note that if $\Lambda$ is local we have $t_j < 1 -$ . Thus this is a generalised Bell inequality (it is in fact similar to the chained Bell inequality of Braunstein and Caves.) If there is no eavesdropping, so that genuine singlet states are shared, then quantum mechanics gives $t_j = 1 - O(1/N^2)$, for all $j$, thus violating the inequality for large enough $N$. This is crucial for the security of the protocol; it is violation of this inequality that allows Eve's knowledge to be bounded. Below, we shall derive a lower bound on the value of $t_s$ for the secret pair $s$, given that Alice's and Bob's tests are passed, and given that Eve is not using a strategy that almost always fails the tests. Then we show that the lower bound on $t_s$ implies an upper bound on Eve's information, which can be made arbitrarily small as $M$, $N$ become large.
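
An added numerical check of $t_j$, not taken from the paper: it evaluates $t_j$ for genuine singlets directly from the basis definition (angle $r\pi/2N$ assumed) and finds the largest $t_j$ reachable by local deterministic states through exhaustive search for small $N$. Function names are illustrative.

```python
import math
from fractions import Fraction
from itertools import product

def basis(r, N):
    """Basis X_r as two real vectors (outcome 0, outcome 1); angle r*pi/(2N) assumed."""
    t = r * math.pi / (2 * N)
    return (math.cos(t), math.sin(t)), (-math.sin(t), math.cos(t))

def p_anticorrelated(rA, rB, N):
    """P(a != b) when the singlet (|01> - |10>)/sqrt(2) is measured in X_rA and X_rB."""
    A, B = basis(rA, N), basis(rB, N)
    total = 0.0
    for a, b in ((0, 1), (1, 0)):
        u, v = A[a], B[b]
        amp = (u[0] * v[1] - u[1] * v[0]) / math.sqrt(2)  # <u|<v|psi->
        total += amp * amp
    return total

def quantum_t(N):
    """t_j for genuine singlets: average of P(a != b) over i and c in {-1, 0, 1}."""
    s = sum(p_anticorrelated(i, i + c, N) for i in range(N) for c in (-1, 0, 1))
    return s / (3 * N)

def local_max_t(N):
    """Largest t_j over local deterministic states, by exhaustive search (N >= 3)."""
    def bob(b, r):
        # X_{-1} and X_N are X_{N-1} and X_0 with outcomes reversed.
        return b[r] if 0 <= r < N else 1 - b[r % N]
    best = 0
    for bits in product((0, 1), repeat=2 * N):
        a, b = bits[:N], bits[N:]
        ok = sum(a[i] != bob(b, i + c) for i in range(N) for c in (-1, 0, 1))
        best = max(best, ok)
    return Fraction(best, 3 * N)

if __name__ == "__main__":
    for N in (3, 4, 5, 6):
        print(N, float(local_max_t(N)), round(quantum_t(N), 4))
```

Local states in general are mixtures of deterministic ones, so the search over deterministic assignments gives the local maximum; the singlet value exceeds it for each $N$ printed.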

From now on, we assume that there is at least one pair for which Alice's and Bob's measurements were neighbouring or identical (otherwise they will abort). Let $s$, a random variable, be the index of the pair chosen to define the secret bit. A post-quantum state $\Lambda$ determines the probability $P_\Lambda(\text{pass})$ that Alice's and Bob's tests are passed, so that they do not abort the protocol.

Lemma. For any $\Lambda$ such that $P_\Lambda(\text{pass}) > \epsilon$, we have that

$$P_\Lambda(a_s \neq b_s \mid \text{pass}) > 1 - 1/(2MN\epsilon).$$

Proof. Let $m$, a random variable, be the number of pairs for which the measurements were neighbouring or identical. For a given pair, let $C$ be the condition that the measurements were neighbouring or identical and the outcomes anti-correlated. If the secret pair satisfies $C$, then Alice and Bob will agree on the value of the secret bit. We denote by $\#(C)$ the number of pairs for which $C$ holds. Define the following four mutually exclusive and collectively exhaustive events.

$E_0$: $m < 2MN$

$E_1$: $m \ge 2MN$ and $\#(C) < m - 1$

$E_2$: $m \ge 2MN$ and $\#(C) = m - 1$

$E_3$: $m \ge 2MN$ and $\#(C) = m$.

Note that if $E_0$ or $E_1$ occurs, then Alice and Bob will definitely abort. If $E_3$ occurs, then Alice and Bob will definitely not abort. A given post-quantum state $\Lambda$ defines a probability for each of these four events, which we write as $P_\Lambda(E_i) = q_i$.

Now we have $P_\Lambda(\text{pass}) = q_3 + q_2 P_\Lambda(\text{pass} \mid E_2)$. If $E_2$ occurs, then the test will only be passed if the secret pair do not satisfy $C$. This means that we have

$$P_\Lambda(\text{pass} \mid E_2) = \sum_{i=2MN} P(m = i \mid E_2)/i \le 1/(2MN). \qquad (2)$$

But $P_\Lambda(\text{pass}) > \epsilon$, so we can write $q_3 > \epsilon - q_2/(2MN)$. Therefore

$$\begin{aligned} P_\Lambda(a_s \neq b_s \mid \text{pass}) &= \frac{q_3}{q_3 + q_2 P_\Lambda(\text{pass} \mid E_2)} \\ &> 1 - 1/(2MN\epsilon), \end{aligned} \qquad (3)$$

where the inequality follows from the fact that the right hand side of the first line either equals 1 or is monotonically increasing with $q_3$. QED.

It follows from the lemma above, the no-signalling condition and the chain rule for conditional probabilities that, conditioned on passing the test,

$$t_s > 1 - 1/(2MN\epsilon). \qquad (4)$$

From now on, we assume that the test is passed, and we can consider that Alice, Bob and Eve share three systems, such that Eq. (4) is satisfied. We now show that the knowledge that Eve can get by performing a measurement on her system is small.

We do this by contradiction. Thus suppose that with probability $\delta > 0$, Eve gets an outcome $e_0$ such that

$$P_\Lambda(a_s = \bar{b}, b_s = b \mid A_s = X_k, B_s = X_{k+d}, e_0) > (1/2)(1 + \delta')$$

for some $k$ and $d = -1$, $0$ or $1$, where $\delta' > 0$ and $b \in \{0, 1\}$. Define

$$p_i^A = P_\Lambda(a_s = \bar{b} \mid A_s = X_i, e_0),$$
$$p_i^B = P_\Lambda(b_s = b \mid B_s = X_i, e_0).$$

The no-signalling condition ensures that $p_i^A$ is independent of which measurement Bob performs, and similarly that $p_i^B$ is independent of which measurement Alice performs. This enables us to write $p_k^A, p_{k+d}^B > (1/2)(1 + \delta')$. Now

$$\begin{aligned} P_\Lambda(a_s \neq b_s \mid A_s = X_i, B_s = X_{i+c}, e_0) &= P_\Lambda(a_s = \bar{b}, b_s = b \mid A_s = X_i, B_s = X_{i+c}, e_0) \\ &\quad + P_\Lambda(a_s = b, b_s = \bar{b} \mid A_s = X_i, B_s = X_{i+c}, e_0) \\ &\le \min(p_i^A, p_{i+c}^B) + \min(1 - p_i^A, 1 - p_{i+c}^B) \\ &= 1 - |p_i^A - p_{i+c}^B|. \end{aligned}$$
Now, using Eq. (1) again and the triangle inequality, we have

$$\begin{aligned} \sum_{c=-1,0,1} \sum_{i=0}^{N-1} P_\Lambda(a_s \neq b_s \mid A_s = X_i, B_s = X_{i+c}, e_0) &\le \sum_{c=-1,0,1} \sum_{i=0}^{N-1} \left(1 - |p_i^A - p_{i+c}^B|\right) \\ &\le 3N - |2p_k^A - 1| \\ &< 3N - \delta'. \end{aligned}$$

This implies that, conditioned only on passing the test,

$$t_s < 1 - (\delta\delta')/(3N). \qquad (5)$$

For any fixed $\delta, \delta' > 0$, we can choose $M, N, \epsilon$ such that this is inconsistent with Eq. (4). $M$ must also be chosen so that quantum correlations are unlikely to fail the test. For example, taking $M = N^{3/4}$, $\epsilon = N^{-1/4}$ achieves this for sufficiently large $N$. (Note that if Alice's and Bob's outcomes are classically correlated via a local hidden variable theory, the chances of passing the test are very small, and there exists no choice of parameters for which Eqs. (4) and (5) are inconsistent.)

Although we restricted the security parameter $M \ll N$ to simplify the discussion, the protocol can be generalised to allow $M$ arbitrarily large. In this case, Alice's and Bob's security test is that the number of pairs for which the outcomes are not anti-correlated should be statistically consistent with quantum predictions; the method of our security proof generalises to cover this case.



More generally, we can say that the protocol works because, once the no-signalling condition is assumed, non-local correlations satisfy a monogamy condition analogous to that of entanglement in quantum theory. The monogamy of non-locality was first noted in Ref. where it was shown that no signalling implies that there exist certain sets of non-quantum correlations such that Alice's and Bob's outcomes cannot be correlated with a third party. Here we have shown that there are quantum correlations with the same property, and used these to construct a key distribution protocol.

It is interesting to contrast the Ekert quantum key distribution protocol [3], in which a test of the Clauser-Horne-Shimony-Holt (CHSH) inequality is performed. It may appear as if non-locality is playing a crucial role here, too. In this case, however, the purpose of the CHSH inequality test is to verify that the shared states are close to singlets — and this is a task that other measurements, not involving non-locality, can perform equally well [15].

Discussion

The above security proof shows that our protocol allows Alice and Bob to generate a single shared bit and guarantee its security even against collective attacks by a post-quantum Eve. The protocol can be generalised to generate an arbitrary shared secret bit string, with the same security guarantee.

Non-locality is crucial to the success of the protocol. It is easy to see that if Alice and Bob were violating no Bell inequality, then Eve could eavesdrop perfectly by preparing each pair of systems in a post-quantum state that is deterministic (where deterministic means that all probabilities defined by the state are 0 or 1) and local. This would give Eve perfect information about Alice's and Bob's measurement outcomes. On the other hand, if Alice and Bob are violating a Bell inequality, then at least some of the post-quantum states prepared by Eve must be non-local. But any state that is deterministic and non-local allows signalling. So this trivial eavesdropping strategy is not available to Eve.